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Abstract. We study the model-checking problem for a quantitative extension of the 
modal /i-calculus on a class of hybrid systems. Qualitative model checking has been proved 
decidable and implemented for several classes of systems, but this is not the case for quan- 
titative questions that arise naturally in this context. Recently, quantitative formalisms 
that subsume classical temporal logics and allow the measurement of interesting quan- 
titative phenomena were introduced. We show how a powerful quantitative logic, the 
quantitative /i-calculus, can be model checked with arbitrary precision on initialised linear 
hybrid systems. To this end, we develop new techniques for the discretisation of continuous 
state spaces based on a special class of strategies in model-checking games and present a 
reduction to a class of counter parity games. 



Modelling discrete-continuous systems by a hybrid of a discrete transition system and con- 
tinuous variables which evolve according to a set of differential equations is widely accepted 
in engineering. While model-checking techniques have been applied to verify safety, live- 
ness and other temporal properties of such systems [II CHI OS], it is also interesting to infer 
quantitative values for certain queries. For example, one may not only want to check that a 
variable of a system does not exceed a given threshold, but also to compute the maximum 
value of the variable over all runs, checking whether any such threshold exists. 

Thus far, quantitative testing of hybrid systems has only been done by simulation, and 
hence lacks the strong guarantees which can be given by model checking. In recent years, 
there has been a strong interest in extending classical model-checking techniques and logics 
to the quantitative setting. Several quantitative temporal logics have been introduced, see 
e.g. EJ [7J QUI HH HZ], together with model-checking algorithms for simple classes 
of systems, such as finite transition systems with discounts. Still, none of those systems 
allowed for dynamically changing continuous variables. We present the first model-checking 
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algorithm for a non-stochastic quantitative temporal logic on a class of hybrid systems. The 
logic we consider, the quantitative //-calculus [8], is based on a formalism first introduced 
in [6]. It properly subsumes the standard //-calculus, cf. [4J, and thus also CTL and 
LTL. Therefore the present result, namely that it is possible to model check quantitative 
//-calculus on initialised linear hybrid systems, properly generalises a previous result on 
model checking LTL on such systems [14] [15], which is one of the strongest model-checking 
results for hybrid systems. 

The restriction to initialised linear systems is made because verification of temporal 
properties over general hybrid systems is undecidable. This holds even for linear systems, 
thus one must pick an appropriate abstraction of the system. An established and very 
well-studied way to do this is to first approximate the continuous behaviour of the variables 
by linear behaviour in a finite number of intervals. This method, applied to a number of 
functions fi(x), . . . , f m (x) that evolve according to a set of arbitrary differential equations 
T>(f\, . . . , / m ), generates a set of disjoint intervals Jx, . . . , with 1% U . . . U If. = M and a set 
of linear coefficients a^, 6^ such that in Ij it is approximately true that fi(x) = aj-x+b?, i.e. 
the derivative ^jf = a\. There are several ways to generate such linear approximations of 
solutions of differential equations and, depending on the method in question, one can obtain 
various kinds of error bounds for the respective classes of functions. We do not investigate 
these issues (or other approximation methods) here, but focus instead on the linear system 
obtained. 

As stated above, even simple qualitative verification problems are undecidable for gen- 
eral hybrid systems. This remains true even after the natural approximation by a linear 
system. Hence, one more assumption is made, namely that if the speed of evolution of a 
variable changes between discrete locations then also the variable is reset on that transition. 
Systems with this property, called initialised linear systems, are - besides o-minimal systems 
|16[ [3] and their recent extensions (TSj - one of the largest classes of hybrid systems with de- 
cidable temporal logic [15]. Observe that when an arbitrary hybrid system is approximated 
by a linear one, one can try to directly obtain an initialised system by computing boundary 
values [13] . This can be done by either assuring that discrete transitions are taken only at 
the borders of the intervals Ij, or by taking a finer subdivision of the intervals to increase 
the precision of coordination between the discrete and the continuous part of the system. 
Note that, even though this procedure has been implemented in model-checking programs, 
it is only a heuristic - it necessarily fails for general systems for which the model-checking 
problem is undecidable. 

The logic we study is quantitative - it allows to express properties involving suprema 
and infima of values of the considered variables during runs that satisfy various temporal 
properties, e.g. to answer "what is the maximal temperature on a run during which a 
safety condition holds?" . To model check formulae of the quantitative //-calculus, we follow 
the classical parity game-based approach and adapt some of the methods developed in the 
qualitative case and for timed systems. To our surprise, these methods turned out not 
to be sufficient and did not easily generalise to the quantitative case. As we will show 
below, the quantitative systems we study behave in a substantially different way than their 
qualitative counterparts. We overcome this problem by working directly with a quantitative 
equivalence relation, roughly similar to the region graph for timed automata, and finally by 
exploiting a recent result on counter parity games. 

Organisation. The organisation of this paper follows the reductions needed to model 
check a formula <p over a hybrid system K,. In Section[2j we introduce the necessary notation, 
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the systems and the logic. Then, we present an appropriate game model in Section [3] and 
show how to construct a model-checking game Q for the system and the formula. In Section 
U we transform the interval games constructed for arbitrary initialised linear hybrid systems 
to flat games, where the linear coefficients are always 1. In Section we show how the 
strategies can be discretised and still lead to a good approximation of the original game. 
Finally, in Section [6l we reduce the problem to counter parity games and exploit a recent 
result to solve them. To sum up, the steps taken are depicted below. 

tC, cp model-checking game Q flat Q counter-reset Q value. 

2. Hybrid Systems and Quantitative Logics 

We denote the real and rational numbers and integers extended with both oo and — oo by 
I^oo, Qoo and Zqo respectively. We write Z(Z 00 ),I(Q 00 ) and Z(Moo) for all open or closed 
intervals over Moo with endpoints in ZqcQoq and Moo- 

Definition 2.1. A linear hybrid system over M variables, K, = (V, E, {Pj}j g j, A, 5), is based 
on a directed graph (V, E), consisting of a set of locations V and transitions E V xV . The 
labelling function A : E — > V^^Cm) assigns to each transition a finite set of labels. The set 
Cm of transition labels consists of triples I = (I, C, R), where the vector C = (Ci, . . . , Cm) 
(with Ci G X(M 00 ) for i G {1, . . . , M}) represents the constraints each of the variables needs 
to satisfy for the transition to be allowed, the interval / G I(R^ ) represents the possible 
period of time that elapses before the transition is taken, and the reset set R contains the 
indices of the variables that are reset during the transition, i.e. i G R means that ?/, is set to 
zero. For each i of the finite index set J, the function Pj : V — > Moo assigns to each location 
the value of the static quantitative predicate Pi. The function 5 : V — > M A/ assigns to 
each location and variable yi the coefficient dj such that the variable evolves in this location 
according to the equation ^ = a.;. 

Please note that although we do not explicitly have any invariants (or constraints) in 
locations, we can simulate them by choosing either the time intervals or variable constraints 
on the outgoing transitions accordingly. If the values of predicates and labels range over 
Qoo or Zoo instead of Moo we talk about linear hybrid systems over Q and Z, respectively. 

The state of a linear hybrid system K is a location combined with a valuation of all M 
variables, S = ^x R^- For a state s = (v, yi, . . . , y^f) we say that a transition (v, v') € E 
is allowed by a label (J, C, R) G X((v, v')) ifyGC (i.e. if yi <E Ci for alH = 1, . . . , M). We 
say that a state s' = (v' , y[, . . . , y' M ) is a successor of s, denoted s' € succ(s), when there is 
a transition (v,v') E E, allowed by label (I,C,R), such that y'i = for all i G R and there 
is a t € / such that y[ = yi + (aj • t) where = 5i(v) for all i R G X((v,v')). A run of 
a linear hybrid system starting from location vq is a sequence of states sq, s±, . . . such that 
•so = ( v 0i 0, . . . , 0) and Si+i G succ(sj) for all i. Given two states s and s' G succ(s) and a 
reset set R ^ {1, . . . , M} we denote by s' — Ft s the increase of the non-reset variables that 

occurred during the transition, i.e. * ' for some i R where s = (v,y) and s' = (v',y r ). 

Definition 2.2. A linear hybrid system fC is initialised if for each (v , w) G E and each 
variable it holds that if 5i{v) ^ 5i(w) then i G R for R G X((v,w)). 

Intuitively, an initialised system cannot store the value of a variable whose evolution 
rate changes from one location to another. 
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„ R= {yo},y e [30,40] 

P = OO P = — oo 



dyo 




{Vo} 



Figure 1: Leaking gas burner LHS £ = (V, E, P, A, 6) (not initialised) 



H= {j/o},2/o S [30,40] 
P = OO — . = — oo 



dyo _ i dj/i. _ i 

dt ~ ' dt — x 




A = {yo} 



Figure 2: Leaking gas burner LHS C = (V, E, P, A, 5) (initialised) 

Example 2.3. To clarify the notions we use, we consider a variant of a standard example 
for a linear hybrid system, the leaking gas burner. 

Our version is depicted in Figure [TJ This system represents a gas valve that can leak 
gas to a burner, so it has two states: vo, where the valve is open (and leaking gas) and v\ 
where it is closed. This is also indicated by a qualitative predicate P that has the value 
oo if the gas is leaking (in location vq) and — oo otherwise. The system has two variables. 
The first variable, yo, is a clock measuring the time spent in each location, and is reset on 
each transition, i.e. after each discrete system change. The variable y\ is a stop watch and 
measures the total time spent in the leaking location. Thus, this system is not initialised. 
The time intervals on the transitions control the behaviour of the system. On the transi- 
tion {vq,v\) there are no restrictions on the variables, but we are only allowed to choose a 
time unit from [0, 1], i.e. we can stay a maximum of one time unit in location vq. On the 
transition (v\, Vq) there is a restriction on the value of yo, it has to have a value between 30 
and 40 for this transition to be allowed, while there is no restriction on the choice for the 
time unit (of course, this could also be modelled the other way around). Intuitively, the 
time intervals indicate that the gas valve will leak gas for a time interval between and 1 
seconds and then be stopped and that it can only leak again after at least 30 time units. 



In Figure [21 we show an initialised version of the leaking gas burner. The only difference 
is that y\ is not a stop watch anymore but a normal clock. Since now both variables are just 
clocks (which means that their evolution rates are one everywhere), the system is trivially 
initialised. 



2.1. Quantitative /^-Calculus. In this section, we present a version of the quantitative 
//-calculus first introduced in [8]. The version we use here is additive and includes variables. 
It is evaluated on linear hybrid systems. 

Definition 2.4. Given sets of fixpoint variables X, system variables {yi, • • • , 2/m} an d 
predicates {Pj}j g j, the formulae of the quantitative ^-calculus (Q\i) with variables are given 
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by the EBNF grammar: 

tp ::= Pi | Xj | yk j -19? I <p A <p \ (p V <p \ Ocp \ §p \ [iXj.ip \ vXj.ip , 

where Xj £ X, y^ € {y\, . . . , 2/m}; and in the cases fj,Xj.(p and vXj.<p, the variable must 
appear positively in 99, i.e. under an even number of negations. 

Let T = {/ : 5 — > Moo}- Given an interpretation 3 : — > J 7 , a variable le^, and 
a function / € J 7 , we denote by 3[X /] the interpretation 3', such that = / and 

J'(X') = 3{X') for all X' + X. 

Definition 2.5. Given a linear hybrid system /C = (V, J5 3 A, {Pj}j g j, 5) and an interpreta- 
tion 3, a Q//-formula yields a valuation function [[</?] 3 : S — )• Moo defined in the following 
standard way for a state s = (v s , yf , . . . , y s M )- 

. [Pil« (a) = Pi(v>), iXj^s) = 3(X)(s), and ly^(s) = yf, = 

• A = min{[^]^ [rf} and V = maxj^f, [rf}, 

• [OdftOO = su Ps , £succ(s) M$V) and = inf s , esucc(s) [v#(s'), 
. [//X^f = inf{/ £J:/= Mg^}, 

lvX.<p\% = sup{/ £J:/= M^/]}- 

For formulae without free variables we write \_<p\ rather than . 

Please note that the inclusion of variables does not fundamentally change the semantics 
of quantitative //-calculus. The quantitative //-calculus in [8j is evaluated on quantitative 
transition systems. Here, a formula is evaluated on the state graph of a linear hybrid system, 
rather than the system itself. Intuitively, a linear hybrid system is a compact representation 
of an infinite quantitative transition system (its state graph). Thus, many properties of the 
quantitative //-calculus from [8] remain true. For example, to embed the classical //-calculus 
in quantitative //-calculus one must interpret true as +00 and false as —00. 

Example 2.6. The formula fiX.(()X V y{) evaluates to the supremum of the values of y\ 
on all runs from some initial state: e.g. to 00 if evaluated on the simple initialised leaking 
gas burner model. To determine the longest period of time during which the gas is leaking 
we use the formula \iX.(§X V (yo AP)), which evaluates to 1 on the initial state (vq, 0) in 
our example. 

The remainder of this paper is dedicated to the proof of our following main result which 
shows that [</?]] ^ can be approximated with arbitrary precision on initialised linear hybrid 
systems. 

Theorem 2.7. Given an initialised linear hybrid system IC, a quantitative fi-calculus for- 
mula (p and an integer n > 0, it is decidable whether [ip\ = 00, Jy?]^ = —00, or else a 
number r £ Q can be computed such that — r\ < —. 

In other words, for every e we can approximate [y] within e. We formulated the 
theorem above using n because it makes the representation of e precise, so we can provide 
a complexity bound: Given on input the system /C, the formula ip and n, we will show how 
to compute the number r (or output ±00) in 8EXPTIME. 
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3. Interval Games 



In this section, we define a variant of quantitative parity games suited for model checking 
Qp on linear hybrid systems. As mentioned above, a linear hybrid system can be seen as 
a compact representation of an infinite quantitative transition system. Similarly, a parity 
game that is played on a linear hybrid system can be viewed as a compact, finite description 
of an infinite quantitative parity game, as defined in [8]. 



Definition 3.1. An interval parity game (IPG) Q = (Vo, V±, E, A, S, i, 0), is played on a 
LHS (V, E, A, 5) (without predicates) and V = Vq U V\ is divided into positions of either 
Player or 1. The transition relation E C V x V describes possible moves in the game 
which are labelled by the function A : E — > Vsh(Cm)- The function i : V — > M x Rqo x Mqo 
assigns to each position the index of a variable and a multiplicative and additive factor, 
which are used to calculate the payoff if a play ends in this position. The priority function 
O : V — > {0, . . . , d} assigns a priority to every position. 

Please note that interval parity games are played on linear hybrid systems without any 
quantitative predicates, i.e. the set of of predicates is empty and therefore omitted. 

A state s = (v,y) G V x of an interval game is a position in the game graph 
together with a variable assignment for all M variables. A state s' is a successor of s if it 
is a successor in the underlying LHS, i.e. if s' G succ(s). We use the functions loc(s) = v 
and var(s) = y, varj(s) = to access the components of a state. For a real number r, we 
denote by r • s = (v, r ■ varo(s), . . . r • var^(s)) and r + s = (v, r + varo(s), . . . r + var/if (s))- 
We call Si the state set {s = (v,y) : v G V{\ where player i has to move and S = Sq U Si. 

How to play. Every play starts at some position v € V with all variables set to 0, 
i.e. the starting state is so = (v ,0, . . . , 0). For every state s = (v,y) € Sj, player i chooses 
an allowed successor state s' G succ(s) and the play proceeds from s'. If the play reaches a 
state s such that succ(s) = it ends, otherwise the play is infinite. 

Intuitively, the players choose the time period they want to spend in a location before 
taking a specified transition. Note that in this game every position could possibly be a 
terminal position. This is the case if it is not possible to choose a time period from the 
given intervals in such a way that the respective constraints on all variables are fulfilled. 

Payoffs. The outcome p(so-..Sfc) of a finite play ending in = (v,yi,...,yj^) where 
l(v) = (i, a, b) is p(s/%) = a-yi + b. To improve readability, from now on we will simply write 
l(v) = a ■ yi + b in this case. The outcome of an infinite play depends only on the lowest 
priority seen infinitely often in positions of the play. We will assign the value — oo to every 
infinite play, where the lowest priority seen infinitely often is odd, and oo to those where it 
is even. 

Goals. The two players have opposing objectives regarding the outcome of the play. 
Player wants to maximise the outcome, while Player 1 wants to minimise it. 

Strategies. A strategy for player i G 0, 1 is a function a : S*Si —> S with a(s) G 
succ(s). A play ir = sqSi ... is consistent with a strategy a for player i, if s n+ i = a(so ■ ■ ■ s n ) 
for every n such that s n G Si. For strategies a, p for the two players, we denote by ir(a, p, s) 
the unique play starting in state s which is consistent with both a and p. 

Determinacy. A game is determined if, for each state s, the highest outcome Player 
can assure from this state and the lowest outcome Player 1 can assure coincide, 

sup inf p(7r(<7, p, s)) = inf sup p(tt(o", p, s)) =: valG(s), 
o-gr peri peri o-er 
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where ]?o, Ti are the sets of all possible strategies for Player 0, Player 1 and the achieved 
outcome is called the value of Q at s. 

We say that the interval game is over Q or Z if both the underlying LHS and all 
constants in i(v) are of the respective kind. Please note that this does not mean that the 
players have to choose their values from Q or Z, just that the endpoints of the intervals and 
constants in the payoffs are in those sets. 

Intuitively, in a play of an interval parity game, the players choose successors of the 
current state as long as possible. 

Example 3.2. In Figure [31 we show a simple example of an interval parity game. Positions 
of Player are depicted as circles and positions of Player 1 as boxes. To keep things 
simple, there is just one clock variable, yo, all constraints are trivially true and the reset 
sets are empty, so we label the transitions only with the time intervals that the players 
can choose from. The priorities are depicted next to the nodes for non-terminal positions 
and the evaluation function above the terminal position (in general, also positions with 
outgoing edges could be terminal, however in this example this is not possible as there are 
no constraints on the variable). 

A play of this system starting at node vq could end after two moves in position V2, 
if Player 1 decided to move there (he also has the choice to move down). The payoff of 
this play would then depend only on the choice that Player made in the first move, for 
example | € [0, Then the payoff would be 3 • (| + 2) — 1 = 6 (as in this play, the second 
time interval only permits the choice 2). 

If Player 1 would move down instead of ending the play and the play would loop 
infinitely often in the cycle ^3,^4,^5 at the bottom, the least priority that occurs infinitely 
often would determine the outcome of the play; in this case it would be at v 3 and therefore 
the payoff would be 00. 




Figure 3: Simple interval parity game 

We already mentioned that an interval parity game can be seen as a representation of 
a quantitative parity game, now we want to describe this formally. We use the notion from 
[8] and define, for an IPG with M variables Q = (Vq, Vi, E, X, 6, l, fi), the corresponding 
infinite quantitative parity game without discounts Q* = (Vq x M^,Pi x R^, E*, A*, S7*) 
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with (s, s') € E* iff s' is a successor of s as above, Q*(-u, z) = £l(v) and A*(t> , z) = a ■ z% + j3 
iff i(y) = a ■ yi + (3. The notions of plays, strategies, values and determinacy for the IPG Q 
are defined exactly as the ones for the quantitative parity game Q* in [8]. In particular, it 
follows from the determinacy of quantitative parity games that also interval parity games 
are determined. 

3.1. Model- Checking Games for QpL. A game (G,v) is a model-checking game for a 
formula ip and a system IC, v', if the value of the game starting from v is exactly the value 
of the formula evaluated on IC at v' . In the qualitative case, that means, that (p holds in 
IC, v' if Player wins in Q from v. For a linear hybrid system fC and a Q^-formula ip, we 
construct an IPG MC[/C, cp] which is the model-checking game for p on fC. 

The full definition of MC[/C, <p] closely follows the construction presented in [8\ and is 
presented below. 

Intuitively, the positions are pairs consisting of a subformula of <p and a location of IC. 
Which player moves at which position depends on the outermost operator of the subformula. 
At disjunctions Player moves to a position corresponding to one of the disjuncts and from 
((}p,v) to (p>,w) where (v,w) £ E^, and Player 1 makes analogous moves for conjunctions 
and □. From fixed-point variables the play moves back to the defining formula and the 
priorities of positions depends on the alternation level of fixed points, assigning odd priorities 
to least fixed points and even priorities to greatest fixed points. 

Definition 3.3. For a linear hybrid system IC = (V, E, {Pj}j e j, A, 8) and a Q/U-formula <p 
in negation normal form, the interval game 

MC[lC,tp} = (V ,V 1 ,E,\,5,L,n), 

which we call the model- checking game for IC and ip, is constructed in the following way, 
similar to the standard construction of model-checking games for the /x-calculus (c.f. [8]). 

Positions. The positions of the game are pairs (ip,v), where ip is a subformula of p>, 
and v E V is a location in the LHS IC. Positions (ip, v) where the top operator of ip is □, A, 
or v belong to Player 1 and all other positions belong to Player 0. A state in the game is 
denoted by s = (p,y), where p = (ip,v) is the position and y is the variable assignment of 
the location v in the underlying linear hybrid system IC. 

Moves. Positions of the form (Pi,v) and (yi,v) are terminal positions. From positions 
of the form (ip A 0,v), resp. (ip V 9,v), one can move to (ip,v) or to (9,v). Positions of 
the form (()ip,v) have either a single successor (— oo) in case v is a terminal location in 
IC, or one successor (ip, v') for every v' € vE. Analogously, positions of the form (dip, v) 
have a single successor (oo) if vE = 0, or one successor (ip,v') for every v' € vE otherwise. 
The moves corresponding to system moves (v,v') are labelled accordingly with X((v,v')), 
all other moves are labelled with the empty label ([0, 0], (— oo, oo) M , 0) which indicates that 
no time passes, there are no constraints on the variables and no variable is reset. Fixed- 
point positions (fxX .ip , v) , resp. (uX.ip,v) have a single successor (ip,v). Whenever one 
encounters a position where the fixed-point variable stands alone, i.e. (X, v'), the play goes 
back to the corresponding definition, to (ip,v'). 

Payoffs. The function i assigns to all positions (Pi,v), ±oo to all positions 

(±oo) and yi to positions (yi,v). To discourage the players from ending the game at any 
other position than a terminal one, t assigns all other positions outcome — oo for Player 0's 
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Figure 4: Model-checking game for fj,X.(()X V (yo A P)) on initialised leaking gas burner. 

positions or oo for Player l's positions. The payoff p(7r) of a play tt is calculated using t 
and the priorities as stated before. 

Priorities. The priority function fi is defined as in the classical case using the alter- 
nation level of the fixed-point variables, see e.g. [12] . Positions (X,v) get a lower priority 
than positions (X',v') if X has a lower alternation level than X'. The priorities are then 
adjusted to have the right parity, such that an even value is assigned to all positions (X, v) 
where X is a ^-variable and an odd value to those where X is a /^-variable. The maximum 
priority, equal to the alternation depth of the formula, is assigned to all other positions. 

Example 3.4. We continue our example of the leaking gas burner and present in Figured] 
the model-checking game for the previously introduced system and formula. In this interval 
parity game, ellipses depict positions of Player and rectangles those of Player 1. In this 
game, all priorities are odd (and therefore omitted), i.e. infinite plays are bad for Player 0. 
There is only one position with a constraints on variable yo and in only two positions a 
choice about the time that passes can be made. Both of these positions belong to Player 
in this example and are labelled with the corresponding intervals below (and in both yo is 
also reset). In terminal nodes, either the variable yo ° r the predicate P is evaluated for the 
payoff (this choice can be made by Player 1 in this example). The value of the game is 1, as 
is the value of the formula on the system starting from either node, and an optimal strategy 
for Player is picking 1 from [0, 1] and then leaving the cycle where Player 1 is forced to 
choose between the evaluation of yo or P v%. Since he is minimising, he will choose to 
evaluate yo- 

It has been shown in [8] that quantitative parity games of any size are determined and 
that they are model-checking games for Qfj>. These results translate to interval parity games 
and we can conclude the following. 

Theorem 3.5. Every interval parity game is determined and for every formula ip in Qfi, 
linear hybrid system fC, and a location v of JC, it holds that 

vaMCllC,<p}((<p,v),0) = l<pf(v,0). 

Proof. Determinacy of an interval parity game Q follows directly from the determinacy of 
the infinite QPG Q* used to define Q. 

Let ip be a Q //-formula and JC a linear hybrid system. Let S(JC) = (S,E S ) be the state 
graph of JC, where S is the set of all states, and (s, s') € E s iff s' 6 succ(s) in JC. Let 
JC* = (S,E s ,P yo . . -Py M ) be the quantitative transition system with predicates P Vi where 
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P yi (y,a) = a>i. Let us also rewrite the formula (p into a formula without variables, (p* , by 
replacing each occurrence of yi by the corresponding P yi . 

Applying the model-checking Theorem 12 from [8] we conclude that for all v £ /C* it 
holds valMC[/C, v?]*(v?, f ) = [y]* (u), i.e. that MC[K,,tp}* is the model-checking game for 
/C* and 99*. Finally, by definition of IPGs on the one hand and the semantics of Qfi on the 
other, it follows that for all x 



4. Basic Properties of Interval Games 

In this section, we first give a brief example that illustrates the difference between interval 
games and timed games. Then, we show how to transform an initialised interval game over 
Qoo into an easier game over in which the all evolution rates are one. 

At first sight, interval games seem to be very similar to timed games. Simple timed 
games are solved by playing on the region graph and can thus be discretised. To stress that 
quantitative payoffs indeed make a difference, we present in Figure [5] an initialised interval 
parity game with the interesting property that it is not optimal to play integer values, even 
though the underlying system is over Zoo> This simple game contains only one variable (a 
clock) and has no constraints on this variable in any of the transitions, so only the time 
intervals are shown. Also, as infinite plays are not possible, the priorities are omitted, as 
well as the indices of non-terminal positions (they are chosen to be unfavourable for the 
current player such that she has to continue playing) . The payoff rule specifies the outcome 
of a play tt ending in V2 as p{ir) = yo — 1 and in v$ as p(tt) = —yo. This game illustrates 
that it may not be optimal to play integer values since choosing time ^ in the first move is 
optimal for Player 0. This move guarantees an outcome of — \ which is equal to the value 
of the game. 




t-(v 2 ) = yo - 1 t(v3) = -yo 



Figure 5: Game with integer coefficients and non-integer value. 



4.1. Flattening Initialised Interval Games. So far, we have considered games where 
the values of variables can change at different rates during the time spent in locations. In 
this section, we show that for initialised games it is sufficient to look at easier games where 
all rates are one, similar to timed games but with more complex payoff rules. We call these 
games flat and show that for every initialised IPG we can construct a flat IPG with the 
same value. To do so, we have to consider the regions where the coefficients do not change 
and rescale the constraints and payoffs accordingly. 

For an interval / = 12], we denote by q ■ I and q + I the intervals [q ■ i%, q ■ 12] and 
[q + h,q + 12] respectively, and do analogously for open intervals. 
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Definition 4.1. An interval parity game Q = (Vb, V\, E, X, 8, i, Q.) is flat if and only if 
5i(v) = 1 for all v G V and i = l...M. 

Lemma 4.2. For each initialised interval parity game Q there exists a flat game Q' with 
the same value. 

Proof. Let Q = (Vb, V\, E, X, 8, l, Q) be an initialised interval parity game. We construct 
a corresponding flat game Q' = (Vb, V"i, E, A', 8', t! , fi) in the following way: For a position 
v G V = Vo U V\ and each variable such that 8i{v ) = ai, l(v) = a - yi + b and an outgoing 
edge (v, w) with C« = [co, Ci] we have in the corresponding flat game: 

• S<(v) = 1 

. V i e\'(v t w) = [*%] = iC i 

• l'(v) = ai ■ a ■ yi + b 

Note that we only change the functions 8, A and l. We will show that for every play tt from 
a starting state s consistent with a and p, we can construct strategies a' , p', such that 
tt'(o~', p', s') visits the same locations as it and p(vr) = p(7r'). Before we proceed with the 
proof, notice that it is essential that Q is an initialised game. Intuitively, the value of yi in 
Q' is the value of y^ in Q divided by the coefficient cij of the current position. When the 
position changes, it is thus crucial that a{ does not change, except if yi is reset - exactly 
what is required from an initialised game. 

The proof proceeds by induction on the length of the plays. First, if so = (wo>0) is a 
state belonging to Player and <j(sq) = s\ = (vi,x) and s' = (vq,0), then in Q' we define 
cr'(s' ) = s[, where s[ = (vi,y r ), such that y\ = ^ for any yi R € \(vo, v\). Since (so, s\) is 
allowed in Q, this means that for all yi R G X(vq, vi), we have yi £ Ci = [co, ci] G A(uo, v±). 
It follows that ^ < y • = ^ < ^ for all j/j and therefore (s , s'J is allowed in Also 
p(si) = i(vi) = a ■ yi + b and therefore the payoff is equal to p(s[) = t'(v[) = ai ■ a ■ ^ + b. 

Let so • • • s k an d s' . . . s' k be finite histories in Q and Q 1 ', such that they visit the same 
locations and p(7r) = p(vr'). Then, if Sk = (vk,y) is a state belonging to Player and cr(sfc) = 
Sk+i = (yk+i,y) and s' k = (vk,z), then in Q' we define a'(s' k ) = s' k+1 , where s' k+1 = (v k ,w), 
such that Wi = t where U = ^ for any j/j ^ i? G A(t>fc, -Ufc+i). Since (s^, s^+i) is allowed in 
^, this means that for all y { R, yi G Q = [c ,ci] G A(u fc ,u fc+ i). As ^ < to, = ^ < a. 
for all yi G" i?, we get that (s' k , s' k+1 ) is allowed in Q' . Also p(sjt) = i{vk) = a ■ yi + b and 
therefore the payoff is equal to p(s^ +1 ) = i!{y' k+l ) = ai ■ a ■ Wi + b = ai ■ a ■ ^ + b. 

The cases for Player 1 are analogous. Note that, for infinite plays, we also have the 
same payoff, since for the payoff of infinite games only the locations (and their priorities) 
matter. Since we can construct, for each pair of strategies in Q, the corresponding strategies 
in Q' , and those yield a play with the same payoff, the values of the two games are equal. □ 

Consequently, from now on we only consider flat interval parity games and therefore 
omit the coefficients, as they are all equal to one. 

4.2. Multiplying Interval Games. 

Definition 4.3. For a flat IPG Q = (Vq, Vi, E, A, i, Q) and a value q G Q, we denote by 
q • Q = (V, E, A', t! , fi) the IPG where t'(v) = a ■ yi + q ■ b iff i(v) = a ■ yi + b for all v G V, 
and {I',C f ,R) G X'((v,w)) iff (I,C,R) G X((v,w)) with /' = q ■ I and C'i = q ■ C t for all 
(v,w) G E. 
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Intuitively, this means that all endpoints in the time intervals (open and closed), and 
the constraints, and all additive values in the payoff function t are multiplied by q. The 
values of q ■ Q are also equal to the values of Q multiplied by q. 

Lemma 4.4. For every IPG Q over Qoo arid, q £ Q, q ^ it holds in all states s that 
q ■ valQ(s) = val q ■ Q(q ■ s). 

Proof. We denote by q ■ a the strategy with q ■ a(q • h) = q ■ s' iff o~(h) = s'. The mapping of 
Q with strategies for both players a and p to q • Q with q ■ a and q ■ p is a bijection (in the 
reverse direction take |). We also have q ■ pg(ir(o~, p, s) = sqSi . . . s&) = q ■ (a ■ yi + b) where 
u(loc(sk)) = (a, i, b) which is equal to p q .g(n(q • a,q- p,q- s) = q- sq . . . q- Sk) = a-(q-y.i)+q-b 
for all finite plays ir. Therefore, we know that inf p q ■ p(vr(<T, p, s) = ini q . p p(n(q ■ a,q • p,q • s) 
and the same holds for the supremum and thus we get the desired result. □ 

Note that all multiplicative factors in t are the same in Q and in q ■ Q. Moreover, if we 
multiply all constants in i in a game Q (both the multiplicative and the additive ones) by 
a positive value r, then the value of Q will be multiplied by r, by an analogous argument 
as above. Thus, if we first take r as the least common multiple of all denominators of 
multiplicative factors in i and multiply all l constants as above, and then take q as the least 
common multiple of all denominators of endpoints in the intervals and additive factors in 
the resulting game Q and build q ■ Q, we can conclude the following. 

Corollary 4.5. For every finite IPG Q over Qoo, there exists an IPG Q' over and 
q,r£Z such that val£(s) = valg J g ' s) . 

From now on we assume that every IPG we investigate is a flat game over when 
not explicitly stated otherwise. 

5. Discrete Strategies 

Our goal in this section is to show that it suffices to use a simple kind of (almost) discrete 
strategies to approximate the value of flat interval parity games over ^oo* To this end, 
we define an equivalence relation between states whose variables belong to the same Z 
intervals. This equivalence, resembling the standard methods used to build the region 
graph from timed automata, is a technical tool needed to compare the values of the game 
in similar states. 

We use the standard meaning of [r\ and \r~\ , and denote by {r} the number r — [r\ 
and by [r] the pair ([^J, |V~|)- Hence, when writing [r] = [s], we mean that r and s lie in 
between the same integers. Note that if r G Z then [r] = [s] implies that r = s. 

Definition 5.1. We say that two states s and t in an IPG are equivalent, s ~ t, if they are 
in the same location, loc(s) = loc(t), and for all i,j £{!,... ,K}: 

• [varj(s)] = [varj(t)], and 

• if {varj(s)} < {varj(s)} then {varj(f)} < {var j(t)}. 

Intuitively, all variables lie in the same integer intervals and the order of fractional parts 
is preserved. In particular, it follows that all integer variables are equal. The following 
technical lemma allows for the shifting of moves between ~-states. 
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Lemma 5.2. Let s and s' be two states in a flat IPG over Z such that s ~ s'. If a move 
from s to t is allowed by a label I = (J, C, R), then there exists a state t' , the move to which 
from s' is allowed by the same label I and t' ~ t. 

Proof. If R = {1, . . . , K} then let t' = t. As s ~ s', the same constraints are satisfied by s 
and s' and thus the move from s' to t' = t is allowed by the same label. 

If R 7^ {1, . . . , K} then let w = t—RS 6 I be the increment chosen during the move. If 
KiGZwe let t' = s' + w, the conditions follow from the assumption that s ~ s' again. 

If it; Z, let i be the index of a non-reset variable with the smallest fractional part in t, 
i.e. {varj(f)} < {varj(f)} for all j £ R. To construct t', we must choose «/ with [w 1 ] = [w] 
which makes varj(V + w') the one with smallest fractional part. 

Case 1: {varj(t)} > {w}. 
In this case, for all non-reset variables j, holds {vsxj(t)} > {w}, intuitively meaning that 
no variable "jumped" above an integer due to {w}. Let I be the variable with maximum 
fractional part in s' (and thus, by definition of ~, also in s and in this case in t). Set 

w' = [w\ + 0.9 • ([var;(s')] — var/(s')) . 

Clearly [w r ] = [w] and indeed, we preserved the order of fractional parts and integer inter- 
vals, thus ~ is preserved. 

{varj(s)} {varj(t)} {var;(s')} 1 
1 1 1 1 1 



{w} [wi(s')l - varj(s') 

Figure 6: Lemma 15.21 Case 1 

Case 2: {varj(i)} < {w} and for all j R {varj(s')} > {varj(s')}. 
In this case, for all non-reset variables j, holds {varj(i)} < {w}, intuitively meaning that 
all variables "jumped" above an integer due to {w}. Let I be the variable with maximum 
fractional part in s' (and thus also in s). Let 

5 = 0.9 • min ({var^s')}, ([var/(s')] - varj(s'))) 

be a number smaller than both {varj(s')} and [var/(s')] — varj(s'). We set 

w' = \ w\ + [varj(s')] — varj(s') + 5. 

By the first assumption on 5 we have [w'] = [w] and both the order of fractional parts and 
integer bounds in t' are the same as in t, since 

[var/(i')l = rvar/(s' + w')] < [var^(s') + [w\ + 1 + 6] = [var z (t)] 

by the second assumption on 5. The inequality in the other direction holds as well, and we 
get that t' ~ t as required. 

Case 3: {varj(t)} < {w} and there exists j R with {varj(s')} < {varj(s')}. 
In this case let I be the variable with maximum fractional part in t, i.e. the last one which 
did not "jump" above an integer due to {w}. The variable with next bigger fractional part 
in s (and by ~ also in s') is varj(s), as depicted in Figure El 

To transfer the move to s' , consider these two variables in s' as depicted in Figured] 
and let 5 = {varj(s')} — {var;(s')}. 
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{vavi(s')} {var,(s)} {varj(s')} 1 {var;(t)} + l 



1 1 1 

. . & . 

[varj(s')] - vari(s') 

Figure 7: Lemma 15.21 Case 2 

{var^(s)} {vari(s)}{vari(t)} 1 {varj(t)} + 1 
1 1 1 1 1 



Figure 8: Lemma 15.21 Case 3 for s 



{vaxi(s')} {varj(s')} 
1 1 



5 |~varj(s')l - var;(s') 

Figure 9: Lemma 15.21 Case 3 for s' 

We set w' = [w\ + [varj(s')] — varj(s') + 0.9 • S. Again [w'] = [w] and clearly i is the 
variable with smallest fractional part in t' by construction. As s ~ s', the order of fractional 
parts in t and in t' is the same, and the integer bounds as well, thus t ~ t'. □ 

5.1. Choosing Discrete Moves. Knowing that we can shift a single move and preserve 
~-equi valence, we proceed to show that for IPGs over Z^, fully general strategies are not 
necessary. In fact, we can restrict ourselves to discrete strategies and, using this, reduce 
the games to discrete systems. Intuitively, a discrete strategy keeps the maximal distance 
of all variable valuations to the closest integer small. 

However, for the purposes of constructing an inductive proof of existence of a good 
discrete strategy, it is not convenient to work, for a state s, simply with the maximal 
distance 

maxj{min{varj(s) — |_varj(s)J, [varj(s)] — varj(s)}}. 

The reason is that for some moves it is impossible to keep this distance small for each variable 
and to go to an equivalent state as illustrated in Figure [10l In the depicted situation, if we 
move yi within e- neighbourhood of 7L (below z and z — 1 depict integers), then uq leaves it. 
To give a more suitable notion of distance for a state, let us, for r G R, define 

r — [r] if \r — |Y] | < |r — | ; 
r — \r\ otherwise. 

This function gives the distance to the closest integer, except that it is negative if the closest 
integer is greater than r, i.e. if the fractional part of r is > ^. as depicted in Figure [TT1 
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d(r) 



z — lUoz — 1 + e z — e yi z z + e 

Figure 10: Move where standard distance is necessarily increased. 
[r\ r \r] = [s\ s \s] 



d(r) > d(s) < 

Figure 11: Notation for distances between real numbers and integers. 

Please observe that for two real numbers a, b £ K+, it follows that 
|d(o + 6)| < |d(a)| + |d(6)|. 
Also, we observe that 

• if \d{a) + d(6)| < §, then d(a + b) = d(a) + d(6); 

• otherwise, if d(a),d(6) = \ or d(a),d(6) = 0, then d(a + b) = 0; 

• otherwise, if d(a), d(b) > 0, then d(a + b) = d(o) + d(6) - 1 < 0; 

• if d(a), d(6) < 0, then d(a + 6) = d(a) + d(6) + 1 > 0. 

For a state s, we use the abbreviation dj(s) = d(varj(s)). We denote by d/(s) = 
min i=1 ...k{di(s)} and d r (s) = max i=1 ...fc{dj(s)} the smallest and biggest of all values di(s), 
and additionally we define the total distance as follows 

( \di(s)\ if dj(s) < for alH G {1, . . . , k}, 

d*(s)=< d r (s) if di(s) > for all i € {1, ... , k}, 

[ [dj(s)| + d r (s) otherwise. 

This is illustrated in Figure fT2j where k stands for an integer and yo to 2/2 stand for 
the fractional parts of the values of the respective variables. In this example, yo has the 
smallest fractional part, i.e. the biggest one bigger than ^ and yi has the biggest fractional 
part (less than |). 

First, we will prove that we can always correct a strategy that makes one step which is 
not e-discrete. By doing so, we will guarantee that we reach a state with the same location 
that is allowed by the labelling and that the values of the variables only change within the 
same intervals. 



yo_ 

— \— 



y3 



yi 



J/2 

— I— 



-d. 



Figure 12: Maximal, minimal and total distances for a state. 
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Lemma 5.3. Let s be a state with d*(s) < -g and t be a successor of s, where (s,t) is 
allowed by I = (I,C,R). Then, for every < e < d*(s), there exists a successor t' + of s 
such that 

• t ~ t' + , 

• (s,t' + ) is allowed by I, and 

• d*(t' + ) < d*(s) +e. 

Proof. We assume that d*(t) > d*(s) + e, otherwise we can take t' + = t. Let w € / be the 
increase in the (non-reset) values from s to t, i.e. w = t —r s. We make a case distinction 
regarding the computation of d*(t). 
Case 1: d*(t) = |dj(t)|. 

We correct w in the following way: w' = w + c — e, where c = min{|d r (t)|, if d(w) < 

and c = |d r (i)| otherwise. 

First, we have to show that [w'] G [w] and therefore w' £ /. Since di(t) = di(t) = varj(i) 
for one i, we can conclude from |d(varj(s) + w)\ < |d(vaxj(s))| + |d(u>)| that |d(u/)| > e and 
therefore w' > w, hence w 1 > [^J • Furthermore, w' < \w] . Otherwise, if d(w) < then 
w' = w + c — e > \w\ = w + |d(w)|. This is a contradiction, since by definition c < |d(u>)|. 

If d(w) > 0, we also conclude w' < \w], since c — e < \. 

Next, we have to show, that all variables that are not reset stay in the same interval. 
We consider the case, where all values of the variables are increased, therefore we know that 
varj(t' + ) > [varj(t)J for all % R. We now have to show that also varj(t' + ) < [varj(i)]. Let 
j be the index of the variable which is the closest to the integers (in this case), i.e. j, such 
that d(varj(t)) = d r (t). 

vaij(t' + ) = v&Tj(s) + w' 

= varj (s) + w + c — e 

= varj (t) + c — e 

< \van(t)] =varj(t) + |dr(*)| 

Also, we have to show: d*(t' + ) < d*(s) + e. We know that |dj(t)| - \d r (t)\ < d*(s) and 
d*(t' + ) = \di(t' + )\ = |d(varj(t^_))| for one j and varj(i' + ) = varj(s) + w + c — e. Hence, 
d(vaij(t' + )) = di(t) + c — e, since \di(t) + c — e| < \. We can conclude that di(t' + ) = 
d{vaxj(l/ + ))<d*(8)+e. 

Case 2: d*(t) = \d r (t)\. 

Subcase 1: d(w) > 0: 
We correct w in the following way: w' = w + (1 — c) — e, where c = max{|d/(t)|, 

First, we have to show that [w 1 ] G [w] and therefore w' € /. Since d r (t) = dj(i) = varj(t) 
for one i, we can conclude from |d(vaxj(s) + w)\ < |d(varj(s))| + |d(tt))| that |d(u;)| > e and 
therefore w' > w, hence w' > [w\. Furthermore, w' < \w~\. Otherwise, since d(w) > and 
we assume that w' = w + (1 — c) — e > \w] = w + (1 — |d(iu)|). This is a contradiction, 
since by definition c > |d(u;)|. 

Next, we have to show, that all variables that are not reset stay in the same interval. 
We consider the case, where all values of the variables are increased, therefore we know that 
varj(t^) > [varj(£)J for all i R. We now have to show that also varj(i^_) < [~varj(t)~|. Let 
j be the index of the variable which is the closest to the integers (in this case), i.e. j, such 
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|dj| >d*{s^ + e 

l-\di\ 



<d*( s ) 



|dj| <J*(s) + e 

t'= 1 1 

Figure 13: Case 1 illustration 

that d(var = dj(i). 

V&Tj(t' + ) = V&Tj(s)+w' 

= vaij(s) + w + (1 — c) — e 

= varj(t) + (1 — c) — e 

< \vavi{t)] = vaxj(t) + (1 - |d,(*)| 



Also, we have to show: d*(t' + ) < d*(s) + e. We know that d r (t) - di(t) < d*(s) 
and d*(t' + ) = \d r (t' + )\ = \d(vax j(t' + ))\ for one j. vaij(t' + ) = vaij(s) + w + (1 — c) — e. 
Hence, d(vax j(t' + )) = d r (t) + (1 — c) + e — 1 = d r (t) — c + e. We can conclude that 
d r (i' + ) = d(var,(i' + )) < d*(s) + e. by definition of c. 

Subcase 2: d{w) < : 

In this case, from d*(s) < \ and d*(i) = d r (t) it follows that d(vari(s)) < for all %. Thus, 
we set to' = w + [to] — e and the lemma holds. 



|d r | >d*(s) + e 



t = 




<d*(s) 



\di\ <J*(s) + e 

t' + = 1 1 

Figure 14: Case 2 illustration 

Case 3: d*(t) = d r (t) + \d t {t)\. 
We correct w in the following way: w' = w + c — |, where c = min{|d;(i)|, 
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First, we have to show that [w 1 ] G [w] and therefore w' € /. Since d r (t) = di(t) = var,(i) 
for one i and d,(i) = dj(t) = vaxj(t) for one j, we can conclude from |d(varj(s) + w)\ < 
|d(varj(s))| + |d(u;)| and |d(varj(s) + w)\ < |d(varj(s))| + |d(wd| and |d(varj(s) + w)\ + 
|d(vari(a)+«;)| < |d(vari(a))|+|d(iu)|+|d(vaxj(s))|+|d(w)| < d*(s)+2|d(w)| and |d(var j (s)+ 
w)\ + |d(varj(s) + w)\ > d*(s) + e therefore |d(u;)| > §. Hence, w' > [w\. Furthermore, 
w 1 < \w~\, otherwise if d(w) < then assume w' = w + c — § > \w~\ = w + |d(u/)|. Then 
c — | > |d(iy)|. Contradiction. Otherwise, if d(w) > 0, then w' < \w], since by definition 
c<±. 

Next, we have to show, that all variables that are not reset stay in the same interval. 
We consider the case, where all values of the variables are increased, therefore we know that 
var,(i' + ) > [varj(t)J for all % R. We now have to show that also varj(t' + ) < pvarj(£)"|. Let 
j be the index of the variable with d(varj(£)) = di(t). 

vav j(t' + ) = vaij(t) + w' 

= varj (t ) + w + c — - 

= varj(i) + c-| 

< \vavi{t)] =var j (i) + |d;(i)| 

Thus we have to show: d*(t' + ) < d*(s) + e. We know that \d r (t) - (1 + d z (i))| < d*(s) 
and d*(t' + ) = |d,(i' + )| = |d(varj(t' + ))| for j such that d(var 3 -(t)) = d r (i). Also, var,(i' + ) = 
var,(s) + «; + c — |. We can conclude that d*(i' + ) < d*(s) + §. 

d r <d*( s ) |d, | 



|dj| <^(s) + e 

*+= 1 1 

+ 1 2/2 VI 1 

Figure 15: Case 3 illustration 

□ 

Knowing that, in one step, the move can always preserve small total distance, we can 
finally define discrete strategies. 

Definition 5.4. We call a strategy a e-discrete if for every s n +i = ct(sq . . . s n ) it holds that 
if d*(s n ) < e then d*(s n+ i) < d*(s n ) + t^ttj an d if for each i ~ Sj, then cr(so . . . s n ) ~ 

<7(S{,...<). 

Observe that it follows directly from the definition that if d*(so) < f and both players 
play discrete strategies, then d*(s n ) < e(l — ^tt)- 
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Example 5.5. To see that decreasing e in each step is sometimes crucial, consider the game 
with one variable depicted in Figure [TBI In each move Player has to choose a positive 
value in (0, 1). Player 1 can then decide to continue the play or leave the cycle and end the 
play with the negative accumulated value, i.e. —yo, as payoff. He cannot infinitely often 
decide to stay in the cycle as then the payoff would be oo as the priority is 0. An e-optimal 
strategy for Player as the maximising player is thus to start with | and decrease in each 
step. Please note that the value of the game is 0. 




Figure 16: Game in which the values played must decrease. 



We now extend the previous lemma to one that allows for the shifting of a whole move. 

Lemma 5.6. Let s be a state and t a successor of s, where (s,t) is allowed by I. Let s' be 
a state with d*(s') < \, such that s ~ s 1 . Then, for every e > 0, there exists a successor t' 
of s' allowed by I such that 

• s' ~ t' and 

• d*(t') < d*(s')+e. 

Proof. Since s ~ s' and t £ succ(s) is allowed by I, we know, by Lemma 15.21 that there 
exists a state t' £ succ(s') allowed by the same label I, such that t! ~ t. We also know from 
LemmaEHthat, for every choice of e, there exists t + € succ(s') such that d*(i + ) < d*(s')+e 
and if ~ t+. Since t' ~ t, this also means that i+ ~ t, hence i+ fulfils the requirements 
above. □ 

We can conclude that discrete strategies allow for the approximation of game values. 

Lemma 5.7. Fix an e-discrete strategy pd of Player 1 — i in Q, e < j. For every strategy a 
of Player i there exists an e-discrete strategy ad, such that, for every starting state s$ with 
d*(s ) < §, ifir(a,p d ,so) = s si . . . and ir(a d , Pd, So) = s' s[ . . ., then s, ~ s[ for all i. 

Proof. We only prove this lemma for Player 0, the case of Player 1 is analogous. We define 
ad inductively. Let so be the starting state. If a(so) = s\, then by Lemma I5U1 there is a 
s[ ~ si with d*(s' 1 ) < d*(so) + f , and we set ad(so) = s[. 

Let h = so • • • Sfc and h! = s' . . . s' k be finite play histories such that h is a prefix of 
ir(a, pd, so) and h! is consistent with pd and ad as defined thus far. Note that so = s' Q and 
by inductive assumption Sj ~ s^ for < i < k, and d*(sfc) < e(l — ^tt)- If °~( s o ■ ■ ■ s k) = 
Sk+i G succ(sfc)) then, by Lemma [5761 there also exists a state s' k+1 € succ(s^.) such that 
s' k , 1 ~ Sk+i and d*(s' k+1 ) < d*(sk) + §• Thus, we set ad(s' . . . s' k ) to s' k+1 . For all other 
histories h" = s' ' . . . s k with s'[ ~ s,, we set a(h") = s k+1 for any s k+1 equivalent with Sk, 
which exists by Lemma |5.2[ and we can pick a discrete one if d*(s' k ) < e by Lemma 15.61 

By construction, the strategy ad is discrete and if 7r(a, pd, so) = so$i ■ ■ ■ and n(ad, Pd, so) 
= s'qS^ . . . then Sj ~ s^. □ 
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Proposition 5.8. Let Q be a flat interval parity game. Let Tj be the set of all strategies 
for player i and Aj the set of all discrete strategies for player i and m be the highest value 
that occurs as a multiplicative factor in l. Then it holds, for every starting state s, that 

sup inf p(ir(a, p, s)) — sup inf p(vr(o", p, s)) <m. 
o-gr peri <reA peAi 

Proof. Case 1: assume that 

sup inf p(7r(<7, p, s)) — sup inf p(vr((T, p, s)) > m. 
o-eAo peAi o-er peri 

Then there exists a strategy ad € Ao such that 

inf p(7r(a d ,p, s)) - inf p(7r(cr d , p, s) > m. 
peAi peri 

Fix a strategy pj n f € Ti, for which 

p{ir(o-d,PiTd,s)) < inf p(n(a d , p, s)) + e. 
peri 

From Lemma [5.7| we know, that there is a discrete strategy Pi n f d G Ai which is a discrete ver- 
sion of pi n f against ad- From the above, it follows that p(7r(c7rf, Pin{ d , s)) — p(7r(o" ( i, p Ui { , s)) > 
m. This is a contradiction, since we know from Lemma 15.71 that all states in both plays 
are equivalent, so for finite plays also the final states are equivalent, which means that the 
payoffs cannot differ by more than m as it is the highest occurring multiplicative factor in 
l. If both plays are infinite, then, by definition of ~, the payoffs are equal. 
Case 2: assume that 

sup inf p(7r(<7, p, s)) — sup inf p(vr((T, p, s)) > m. 
<rer per x o-eA peAi 

By Theorem 13.51 every interval parity game is determined, thus 

sup inf p(ir(a, p, s)) = inf sup p(7r(cr, p, s)). 
o-er peri per x o-er 

In the next section, we show that restricting to discrete strategies corresponds to playing a 
counter-reset game, and since these are again determined games, we get that 

sup inf p(n(a, p, s)) = inf sup p(vr((T, p, s)). 
<reA peAi peAi o-eAo 

Therefore we can rewrite the assumption of this case as 

inf sup p(7r(<7, p, s)) — inf sup p(vr((T, p, s)) > m. 
peri <rer peAi aeA 

Then there exists a strategy pd € Ai such that 

sup p(vr(<r, p d ,s)) - sup p(vr(cr,p d ,s)) > m. 
aero creAo 

Fix a strategy <7 sup G Tq, for which 

p(7r(o- sup , p d , s)) > sup p(7r(cr, p d , s)) - e. 

From Lemma 15.71 we know, that there again is a discrete strategy a SVLPd 6 Ao which is 
a discrete version of <7 sup against pd- From the above, it follows that p(7r(<7 sup , pd, s)) — 
p(7r(c7 SU p d , pd, s)) > m, which again contradicts that all states in these two plays are equiv- 
alent. □ 
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6. Counter-Reset Games 



In this section, we introduce counter-reset games and show, using the discretisation results 
from the previous section, that approximating the value of an IPG over can be reduced 
to solving a counter-parity game. We then solve these games using an algorithm from [2]. 

By Proposition 15.81 above, we can restrict both players in a flat IPG to use e-discrete 
strategies to approximate the value of a flat interval game up to the maximal multiplicative 
factor m. Multiplying the game by any number q does not change the multiplicative factors 
in i but multiplies the value of the game by q. Thus, to approximate the value of Q up to ^ it 
suffices to play e-discrete strategies mn-m-Q. When players use only discrete strategies, the 
chosen values remain close to integers (possibly being up to e bigger or smaller). Whether 
the value is bigger, equal or smaller than an integer can be stored in the state, as well as 
whether the value of a variable is smaller or bigger than any of the (non-infinite) bounds in 
constraint intervals. This way, we can eliminate both e's and constraints and are left with 
the following games. 

Definition 6.1. A counter-reset game is a flat interval parity game in which in each label 
/ = (I,C,R) the constraints C are trivially true and the interval / is either [0,0] or [1,1], 
i.e. either all variables are incremented by 1 or all are left intact. 

Example 6.2. In Figure El we depict a simple counter-reset game. As usual, circles repre- 
sent positions of Player and boxes those of Player 1. Priorities, payoff functions, intervals 
and reset sets are also depicted as usual next to the corresponding nodes or above tran- 
sitions. In this game, we have two variables, yo,yi and as mentioned above, there are no 
constraints on these variables in counter-reset games, but they can be reset. The only 
choice in this game that Player has is to increase all variables ("choose" 1 from [1,1]) 
and Player 1 can do the same or end the game and get a payoff of —yo- Since he wants 
to minimise, his best strategy is to loop as long as possible but not infinitely long, as the 
lowest priority on the according cycle is 0. Since he can achieve arbitrary small values this 
way, the value of this game (starting at vq or v±) is — oo. 




Figure 17: Simple counter-reset game 

Lemma 6.3. Let Q be an IPG over with maximal absolute value of the multiplicative 
factor in i equal to m. For each n G N there exists a counter-reset game Q' n such that for 
all states s in which all variables are integers: 

1 

< -. 

n 

Proof. Consider first the game Q" = n-m-Q. By construction, the multiplicative factors in 
l do not change and thus their maximal value in Q" is still m. By Lemma 14.41 i n an states 



valCJ(s) 



v&\Q' n (n ■ m ■ s) 



n ■ m 
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s holds 



vaK7(s) 



vaig"(s) 



n ■ m 



Moreover, by Proposition 15.81 applied to Q' 



7/ 



vaig"(s) 



sup inf p(ttg"((J, p, s 



)) < rn, 



o-eAo peAi 



and therefore 



sup inf p(TT G „(a,p,s)) 



1 

< -. 

n 



o-gAq peAi 



n ■ m 



We will now show how to construct the counter-reset game Q 1 with value equal to 

sup inf p(7TG"((7, p, s)), i.e. to the value of Q" when both players play e-discrete strategies. 
<tgA peAj 

To this end, we first construct the game Q' which still has constraints, but in which all 
intervals are [k, k] for some k € N. The game Q' is constructed from Q" by replacing each 
position v by 3 positions v 11 "' iM . The sequence i\...iM € {—1,0, 1} M keeps track, for 
each variable, whether it is currently smaller, greater, or equal to an integer. The interval 
labels are now converted in the following way. If a move with interval [n, n + k) and resets 
R is taken from a position v 11 "' lM in G' Q and would lead to w in Q" , then a sequence of moves 
with labels [/, /] for each n < I < n + k is added, with the /-labelled move leading to w n '" jM 
such that: 

• if one jfc > ik then all jk > for k G {0, . . . , M}, and the same if jj. < or = i^, 

• if I = n then each > (interval was downwards-closed), and 

• if I = k then each < (interval was upwards-open). 

The situation for open, closed, and open-closed intervals is analogous. The plays which use 
discrete strategies in Q" can now be directly transferred to plays in Q' in which indeed in 
v i\—%m th e s [g n f the fractional part of yj is equal to ij. The same can be done in the other 
direction, as the constraints listed above allow to choose a value in the interval which leads 
to the appropriate change in the sign sequence. Therefore 

vaK/Q = sup inf p(ir G n (a, p, s)). 



To eliminate the constraints from move labels in Q' Q we determine the highest non- 
infinite bound b which appears in these constraints (both on the left and on the right side 
of an interval). Then, we construct Q' as the synchronous product of Q' with a memory of 
size (b + 2) M which remembers, for each variable yi, whether yi is greater than b or equal 
to b, b — 1, . . . , 0. With this memory, we resolve all constraints and remove them from move 



Counter reset games are another representation of a class of counter parity games, which 
were recently studied in [2], where an algorithm to solve such games was given, improving 
our previous decidability result [9]. 

Theorem 6.4 ([2]). For any finite counter parity game Q and initial vertex v, the value 
v&\Q(v) can be computed in 6EXPTIME. When the number of counters is fixed, the value 
can be computed in 4EXPTIME. 



o-eAo peAi 



labels in Q' . 



□ 
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Corollary 6.5. For any finite counter reset game Q with a starting state s where all counters 
are integers, the value va\Q(s) can be computed in 6EXPTIME. With fixed number of 
counters, the value can be computed in 4EXPTIME. 

7. Conclusions and Future Work 

We conclude by completing the proof of our main Theorem 12.71 We first observe that, by 
Theorem 13.51 evaluating a Qfi- formula on a system is equivalent to calculating the value 
of the corresponding model-checking game. We can then turn this game into a flat one by 
Lemma 14.21 and then into one over by Corollary 14.51 By Lemma 16.31 the value of such a 
game can be approximated with arbitrary precision by counter-reset games, which we can 
solve by Corollary 16.51 

All together, we proved that it is possible to approximate the values of quantitative 
//-calculus formulae on initialised linear hybrid systems with arbitrary precision. With the 
recent result on counter parity games, we are even able to provide an elementary algorithm 
- as the game Q' n in Lemma [6.31 is doubly-exponential in Q and n, the combined complexity 
of the above procedure is 8EXPTIME (note the doubly-exponential increase compared to 
Corollary 16. 5[) . 

This complexity is very high and the complexity bound is not tight, thus we can formu- 
late two immediate open problems: (1) can the exact value of [y] be computed? (2) what 
is the exact complexity of such a computation or its approximation? Another open question 
is whether we can use our methods for more general classes of games, e.g. for games with 
more complex payoff functions such as mean-payoff interval games. Furthermore, we are not 
only interested in theoretical complexity bounds but also in the practical applicability of 
quantitative model checking. This will require a more thorough algorithmic analysis of the 
problem. Also, since we reduce the problem to counter parity games, the implementation 
of a solver for this class of games is a necessary first step before we can exploit the methods 
presented in this paper in practice. However, even with further research needed to answer 
these challenges, our result lays the foundation for using quantitative temporal logics in the 
verification of hybrid systems. 
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